“Alice, I have received a complaint from a patient that you may have committed a privacy breach,” said the clinic manager.
“You told me what happened. You did not follow our clinic policies and procedures properly when you left messages for the patient about her follow-up healthcare appointments.
I want to work with you to review and improve our office procedures and training so that this does not happen again.
I also want you to take our privacy awareness training. We provide this training for all new employees during orientation. Sometimes we each need a refresher to remind us how we can maintain privacy, confidentiality, and security of our patients’ information each day.
Alice, you are a good employee. I believe that you want to do your job better. Privacy of our patients' information is very important. Our policies and procedures help us to ensure that we are doing our jobs well. This is your warning; if this type of error happens again, I will need to take additional disciplinary steps.
If you have any questions, please talk to me, your supervisor or our Privacy Officer.”
Privacy breaches happen.
Healthcare providers are responsible to ensure that employees understand their roles and responsibilities. When a breach happens, we need to contain the breach, correct the problem, and prevent it from happening again.
Do you have an office policy about when and how you should leave telephone messages for patients? Privacy awareness training will prevent breaches and may be used as part of the strategy to prevent recurrence.
Privacy awareness training happens throughout the year. Timely informal training, such as discussing the news item of the latest privacy breach, is a great opportunity to reinforce key messages. Use ‘what if that happened to us, what would we do?’ to discuss lessons learned and improve your current practices, if necessary.
Review near-miss privacy and security incidents in your practice. This is the ideal time to discuss and fix potential problems before they become breaches.
The Privacy Officer may create and deliver the training and will monitor, supervise, and support the training.
Use a variety of written and multi-media content like lunch ‘n learn discussions to reinforce key messages. People love games, challenges, and cyber competitions, too, as a way to create variety and interest in privacy and security.
Privacy awareness training alone won’t guarantee that mistakes or errors in judgement won’t happen, but the healthcare provider and employer are legally responsible to take reasonable steps to prevent privacy and security breaches.
Do you have a privacy awareness training program for your healthcare practice?
If you access personal health information without authorization, this is a privacy breach.
You can be charged with a fine under the HIA and can face penalties, fines, and sanctions from your professional association.
How frequently are people being charged under the Health Information Act in Alberta for improper access to health information?
“This year alone, there has been one conviction and two charges for improper access of health information. The office is also investigating more than a dozen cases, and they all have the potential to become offence investigations.” (“Medical record privacy breaches an ‘epidemic’ in Alberta, says commissioner,” CBC News, posted Oct 15, 2015.)
An investigation by the Alberta Office of the Information and Privacy Commissioner (OIPC) has resulted in 26 charges being laid against an individual under the Health Information Act (HIA), as reported in an OIPC News Release on December 1, 2015. An incident at the Alberta Children’s Hospital in Calgary was reported by Alberta Health Services to the OIPC. The OIPC conducted an investigation and, upon its completion, charges were laid against the individual who allegedly gained access to health information in contravention of HIA.
This is the sixth time charges have been laid under provisions of HIA. The maximum penalty for each offence is $50,000.
Who is a custodian?
As defined by HIA, a ‘custodian’ includes physicians, pharmacists, dentists, chiropractors, optometrists, Alberta Health Services, Minister of Alberta Health and more. The custodian is responsible to take reasonable steps to prevent privacy and security breaches, including providing privacy awareness training.
Do you have a privacy awareness program?
Do you have a privacy awareness program in your practice that everyone must attend? This includes healthcare providers, students, residents, office staff and, yes, even the non-patient care employees like cooks, cleaners, and maintenance staff.
Have you seen this?
Jean will be presenting at the 2014 Saskatchewan Connections Conference on Wednesday June 4, 2014 at the beautiful Delta Regina. Saskatchewan's Access, Privacy, Security & Records Management Forum
1B: Managing a Privacy Breach: 3 Mistakes in Managing a Privacy Breach
Dealing with a privacy breach in your clinic can be stressful and confusing. What should you do? Who should you contact? In this presentation, learn the 3 common mistakes made when managing a privacy breach. Learn from someone else's mistakes!
In a fun and informative format Jean will present key principles to manage a privacy breach – and 10 key steps to prevent a privacy breach! Discussion will include proactive privacy and privacy by design principles to keep your practice breach free.
Let your colleagues know that you plan to attend this event! Follow Twitter @SK_Connections
An Australian medical center is facing the possibility that its patients’ electronic medical records may be locked away forever after hackers broke into its computer system in December and encrypted the files. The hackers captured a medical centre's data and demanded A$4000 to decrypt the information.
While this incident is rare, it is a good lesson to ensure that you take control of your data. Ensure that it is secure. Ensure that your data is securely backed up and is segregated from your computer servers. You must be proactive and monitor your computer network. This may be an appropriate task to outsource to a reputable vendor. Are your plans comprehensive? Is it time for you to schedule your Privacy Practice Review?
See the Technology for Doctors Online story from January 17, 2013, for more information.
A self-reported breach by an individual to the Office of the Information and Privacy Commissioner resulted in an offence investigation being opened into suspicious access to health information. The completed investigation, after being referred to Crown prosecutors at Alberta Justice, led to thirty-one charges under the Health Information Act being laid for improperly accessing other individuals’ health information. Another charge was laid for inappropriate use of health information, another for inappropriate disclosure of health information, and one more charge for knowingly falsifying a record. In addition to these thirty-four charges under the Health Information Act, six charges were also laid under the Criminal Code.
The Calgary Herald reports that Brian Hamilton, OIPC Director for the Health Information Act, would only confirm the accused is not a doctor or other medical professional. The matter will be heard in Airdrie Provincial Court on Thursday, October 18, 2012.
The Edmonton Journal also reported that, in addition to the charges under the Health Information Act, the accused may face up to six Criminal Code charges.
Each organization has a responsibility to ensure that their employees (affiliates) receive education and training in their roles and responsibilities under the HIA. Information Managers can help you by providing training on-site and now by webinar.
For more information, see:
the OIPC Website (http://www.oipc.ab.ca/Content_Files/Files/News/NR_Oct_2012.pdf)
http://www.edmontonjournal.com/health/Alberta+Justice+lays+charges+improperly+accessing+health+information/7399425/story.html